The Wii has been hacked. While we were sleeping, a team of dedicated hackers finally got the homebrew ball rolling on Nintendo’s latest console. The trick, which was perfected last night, lets anyone execute their own code by utilising a savegame hack on a modified console. There’s no reason why it won’t work on an un-modded console, it just hasn’t been tested: unsurprisingly, none of the hackers own an unmodified Wii console.

It all started about a month ago with a pair of tweezers and a heavily modified Wii. The tweezer attack involves bridging pins of the Wii’s memory module whilst in Gamecube mode in order to access chunks of isolated Wii system memory. During Gamecube mode, the Wii’s 64MB of memory is split into two chunks: a 16MB chunk is allocated for Gamecube operation. The hack, however, tricks the system into allocating the Gamecube memory over the top of the restricted Wii memory. The memory is then dumped through a controller port, and it was this data dump that made what you’re about to read possible.

Inside this data dump was Nintendo’s public key, which is used to decrypt all of Nintendo’s game releases. Then another major discovery was made: It became apparent that an undocumented processor, nicknamed ‘Starlet’ by its discoverers, is located inside the graphics chip. This processor controls the Wii’s memory, security and cryptography, as well as almost all the peripherals. With the public key and some information on how Wii cryptography works, the Wii game discs can be decrypted and their contents harvested.

The holy grail of Wii hacking is a system exploit: finding where code can be injected into the system to gain low level access. We’re not there yet, although an alternative software based exploit where you examine existing game code for vulnerabilities and inject your own code into them has been written.

The story is correct as far as keys are concerned. If I want to send a message to you, that only you can decrypt, I encrypt the message with your public key. Your private key is then required to decrypt it. If you want to send an encrypted message to me, you would encrypt with your private key and I would decrypt with your public key.

Basically Nintendo is using a private key during manufacturing to encrypt the games, then decrypting at the console with the public key embedded in the console memory.

Bane wrote:If I want to send a message to you, that only you can decrypt, I encrypt the message with your public key. Your private key is then required to decrypt it. If you want to send an encrypted message to me, you would encrypt with your private key and I would decrypt with your public key.

You have the first part right but using the if I wanted to send you a message I would use your public key to encrypt it not my own private key. If I use my own private key anyone in the world would be able to decrypt it via my public key. On the other hand if I used the recipient of the message's public key to encrypt only the person with his private key can encrypt (which is hopefully them).

Yes I am well aware of that. I was trying to simplify it. If you want to get really complex. You can encrypt a message to me using my public key, then you could encrypt it again using your private key. This would ensure that only I could decrypt it (using my private key), I could validate that you sent the message by using your public key to decrypt the second round you setup with your private key. Again, this is a simplification.

My post wasn't meant to be complete instruction in public key cryptography , just to point out that you don't only use a private key for decryption, the key or keys you use depend on what you are trying to accomplish. I haven't read the wiki article, but if you are saying that you always use my public key to send me an encrypted message than your understanding or the wiki's description is flawed.

What nintnedo is essentially doing by encrypting using their private key and then decrypting on the wii using their stored public key is essentially encrypt once, decrypt many. So they encrypt a game one time, and any wii can decrypt. This is not a dumb way to do it all.

Last edited by Bane on Thu Jan 31, 2008 6:44 pm, edited 1 time in total.

If their using a private key to encrypt something all they are doing is verifying that the data came from them thus protecting the data's integrity much like a digital signature. This is due to that fact that anyone with the public key, which is everyone since its public, can decrypt it. This does not work and makes no sense at all if their trying to protect the confidentiality of the data in order to prevent people from playing the games or w/e.

I could be thinking about what they are using the key for wrong but thats the way asymmetric cryptography works. If you use your private key to decrypt something you'r not actaully hiding anything because anyone can decrypt it. Thats all I'm trying to say.

Last edited by themadhatter on Thu Jan 31, 2008 9:11 pm, edited 1 time in total.

I think what nintendo is trying to do is two fold, prevent non authorized code from running on the WII and prevent piracy of the data on the discs.

To get code to run on the wii I would have to have the secret key to encrypt my code, as teh wii unit appears to only have the public key. Conversely, to decrypt the code on the wii optical game disc, I would need the public key. They obviously knew the weakness of having only two keys which is why they tried to hide the public key in what they though was a secret area of memory.

The only way to really make this secure would be to have each wii have its own key pair in addition to the pair nintendo is using now... Can you figure out what the issue is with each wii having its own unique pair?

jimbob wrote:Having one key pair is probably sufficient in that Nintendo's aim is to raise the barrier to running copied game disks beyond the reach of most customers. It appears to have worked.

Jimbob

I agree with you, they primarily wanted to make hacking the wii more difficult. to that end they succeeded. They made it as complex as they could, without being ridiculous, which is the point I was trying to make by giving the descriptions I did.

Having each Wii have its own key pair in addition to the pair that nintendo is using would be an insane level of complexity that would be pretty much impossible to maanage as more and more consoles are made.